zias/stats
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

🙊 escape sql strings

Browse Source
This commit is contained in:
Carl-Gerhard Lindesvärd
2024-03-28 15:57:13 +01:00
parent 40b98f36a4
commit ecf68463c9
16 changed files with 104 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
apps/api/src/controllers/event.controller.ts
View File

@@ -5,6 +5,7 @@ import { isUserAgentSet, parseUserAgent } from '@/utils/parseUserAgent';
import { isSameDomain, parsePath } from '@/utils/url';
import type { FastifyReply, FastifyRequest } from 'fastify';
import { omit } from 'ramda';
import { escape } from 'sqlstring';
import { v4 as uuid } from 'uuid';
import { generateDeviceId, getTime, toISOString } from '@openpanel/common';
@@ -103,7 +104,7 @@ export async function postEvent(
const [event] = await withTiming(
'Get last event (server-event)',
getEvents(
`SELECT * FROM events WHERE name = 'screen_view' AND profile_id = '${profileId}' AND project_id = '${projectId}' ORDER BY created_at DESC LIMIT 1`
`SELECT * FROM events WHERE name = 'screen_view' AND profile_id = ${escape(profileId)} AND project_id = ${escape(projectId)} ORDER BY created_at DESC LIMIT 1`
)
);
@@ -212,7 +213,7 @@ export async function postEvent(
'Get session start event',
Promise.all([
getEvents(
`SELECT * FROM events WHERE name = 'session_start' AND device_id = '${deviceId}' AND project_id = '${projectId}' ORDER BY created_at DESC LIMIT 1`
`SELECT * FROM events WHERE name = 'session_start' AND device_id = ${escape(deviceId)} AND project_id = ${escape(projectId)} ORDER BY created_at DESC LIMIT 1`
),
findJobByPrefix(eventsQueue, `event:${projectId}:${deviceId}:`),
])

3
apps/api/src/controllers/live.controller.ts
View File

@@ -1,4 +1,5 @@
import type { FastifyReply, FastifyRequest } from 'fastify';
import { escape } from 'sqlstring';
import type * as WebSocket from 'ws';
import { getSafeJson } from '@openpanel/common';
@@ -19,7 +20,7 @@ export async function test(
reply: FastifyReply
) {
const [event] = await getEvents(
`SELECT * FROM events WHERE project_id = '${req.params.projectId}' AND name = 'screen_view' LIMIT 1`
`SELECT * FROM events WHERE project_id = ${escape(req.params.projectId)} AND name = 'screen_view' LIMIT 1`
);
if (!event) {
return reply.status(404).send('No event found');